This document describes the security content of OS X Mountain Lion v10.8.4 and Security Update 2013-002, which can be downloaded and installed via Software Update preferences, or from Apple Downloads.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

OS X Mountain Lion v10.8.4 and Security Update 2013-002

Impact: An attacker with access to a user's session may be able to log into previously accessed sites, even if Private Browsing was used

Description: Permanent cookies were saved after quitting Safari, even when Private Browsing was enabled. This issue was addressed by improved handling of cookies.

CVE-ID

CVE-2013-0982 : Alexander Traud of www.traud.de

CoreAnimation

Available for: OS X Mountain Lion v10.8 to v10.8.3

Impact: Visiting a maliciously crafted site may lead to an unexpected application termination or arbitrary code execution

Description: An unbounded stack allocation issue existed in the handling of text glyphs. This could be triggered by maliciously crafted URLs in Safari. The issue was addressed through improved bounds checking.

Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

Description: An uninitialized memory access issue existed in the handling of text tracks. This issue was addressed by additional validation of text tracks.

CVE-ID

CVE-2013-1024 : Richard Kuo and Billy Suguitan of Triemt Corporation

CUPS

Available for: OS X Mountain Lion v10.8 to v10.8.3

Impact: A local user in the lpadmin group may be able to read or write arbitrary files with system privileges

Description: A privilege escalation issue existed in the handling of CUPS configuration via the CUPS web interface. A local user in the lpadmin group may be able to read or write arbitrary files with system privileges. This issue was addressed by moving certain configuration directives to cups-files.conf, which cannot be modified from the CUPS web interface.

CVE-ID

CVE-2012-5519

Directory Service

Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8

Impact: A remote attacker may execute arbitrary code with system privileges on systems with Directory Service enabled

Description: An issue existed in the directory server's handling of messages from the network. By sending a maliciously crafted message, a remote attacker could cause the directory server to terminate or execute arbitrary code with system privileges. This issue was addressed through improved bounds checking. This issue does not affect OS X Lion or OS X Mountain Lion systems.

CVE-ID

CVE-2013-0984 : Nicolas Economou of Core Security

Disk Management

Available for: OS X Mountain Lion v10.8 to v10.8.3

Impact: A local user may disable FileVault

Description: A local user who is not an administrator may disable FileVault using the command line. This issue was addressed by adding additional authentication.

Description: OpenSSL was updated to version 0.9.8x to address multiple vulnerabilities, which may lead to denial of service or disclosure of a private key. Further information is available via the OpenSSL website at http://www.openssl.org/news/

Impact: Viewing a maliciously crafted FPX file may lead to an unexpected application termination or arbitrary code execution

Description: A buffer overflow existed in the handling of FPX files. This issue was addressed through improved bounds checking.

CVE-ID

CVE-2013-0988 : G. Geshev working with HP's Zero Day Initiative

QuickTime

Available for: OS X Mountain Lion v10.8 to v10.8.3

Impact: Playing a maliciously crafted MP3 file may lead to an unexpected application termination or arbitrary code execution

Description: A buffer overflow existed in the handling of MP3 files. This issue was addressed through improved bounds checking.

CVE-ID

CVE-2013-0989 : G. Geshev working with HP's Zero Day Initiative

Ruby

Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8

Impact: Multiple vulnerabilities in Ruby on Rails

Description: Multiple vulnerabilities existed in Ruby on Rails, the most serious of which may lead to arbitrary code execution on systems running Ruby on Rails applications. These issues were addressed by updating Ruby on Rails to version 2.3.18. This issue may affect OS X Lion or OS X Mountain Lion systems that were upgraded from Mac OS X 10.6.8 or earlier. Users can update affected gems on such systems by using the /usr/bin/gem utility.

Impact: An authenticated user may be able to write files outside the shared directory

Description: If SMB file sharing is enabled, an authenticated user may be able to write files outside the shared directory. This issue was addressed through improved access control.

CVE-ID

CVE-2013-0990 : Ward van Wanrooij

Note: Starting with OS X v10.8.4, Java Web Start (i.e., JNLP) applications downloaded from the Internet need to be signed with a Developer ID certificate. Gatekeeper will check downloaded Java Web Start applications for a signature and block such applications from launching if they are not properly signed.

You can use the codesign utility to sign the JNLP file, which will attach the code signature to the JNLP file as extended attributes. To preserve these attributes, package the JNLP file in a ZIP, XIP, or DMG file. Be careful using the ZIP format, as some third-party tools might not capture the required extended attributes correctly.
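A pre-distribution check for the ZIP caveat above, written as an added example that is not part of Apple's advisory or tooling: macOS archivers that preserve extended attributes store them in an AppleDouble sidecar entry (`._name`, either beside the file or under `__MACOSX/`), so a ZIP whose JNLP entries lack such a sidecar will lose the codesign attributes on extraction. The sidecar naming conventions and the minimal AppleDouble header are assumptions stated in the comments; the check confirms the sidecar exists and is AppleDouble-formatted, not that it carries the signature attributes themselves.

```python
"""Check that a ZIP carrying signed JNLP files also carries the AppleDouble
sidecar entries that hold their extended attributes (constructed example)."""
import io
import posixpath
import struct
import zipfile

# AppleDouble header magic and version (AppleSingle uses magic 0x00051600).
APPLEDOUBLE_MAGIC = 0x00051607
APPLEDOUBLE_VERSION = 0x00020000


def _sidecar_names(name):
    # Assumption: Archive Utility and `ditto -c -k --sequesterRsrc` place the
    # sidecar under __MACOSX/, while plain `ditto -c -k` places it beside the file.
    directory, base = posixpath.split(name)
    beside = posixpath.join(directory, "._" + base)
    return [beside, "__MACOSX/" + beside]


def _is_appledouble(data):
    # Header: magic(4) version(4) filler(16) entry count(2) = 26 bytes minimum.
    if len(data) < 26:
        return False
    magic, version = struct.unpack(">II", data[:8])
    return magic == APPLEDOUBLE_MAGIC and version == APPLEDOUBLE_VERSION


def missing_jnlp_sidecars(zip_bytes):
    """Return JNLP entries whose extended attributes would be lost on extraction."""
    missing = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = set(zf.namelist())
        for name in sorted(names):
            if not name.lower().endswith(".jnlp") or posixpath.basename(name).startswith("._"):
                continue  # skip non-JNLP entries and the sidecars themselves
            has_sidecar = any(
                s in names and _is_appledouble(zf.read(s)) for s in _sidecar_names(name)
            )
            if not has_sidecar:
                missing.append(name)
    return missing


def build_sample_zip(with_sidecar):
    """Constructed sample archive: one JNLP plus, optionally, a minimal AppleDouble sidecar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("app/launch.jnlp", "<jnlp/>")
        if with_sidecar:
            header = struct.pack(">II16sH", APPLEDOUBLE_MAGIC, APPLEDOUBLE_VERSION, b"\0" * 16, 0)
            zf.writestr("__MACOSX/app/._launch.jnlp", header)
    return buf.getvalue()
```

Run `missing_jnlp_sidecars` over the real archive produced by your packaging tool; any entry it returns was zipped without its attributes and will fail Gatekeeper's signature check after download.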

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Risks are inherent in the use of the Internet. Contact the vendor for additional information. Other company and product names may be trademarks of their respective owners.